Friday, October 5, 2012

Anyone who has spent enough time in Melbourne will have caught a tram and will probably have seen this poster:

It is a warning about how dangerous it could be to be hit by a tram, published in the interests of passenger safety by Yarra Trams.

My brain did a bit of a wobble and came up with this question:

"What would happen if magically each of the trams in Melbourne were to turn into 30 actual rhinos?"
The worldwide numbers of rhinos are scary. They are so close to extinction, so let's quickly look at them:

Javan Rhino - population is less than 60 individuals. Most of these rhinos are the Indonesian Javan Rhino subspecies. The Vietnamese Javan Rhino subspecies consists of 5 individual animals and may not recover. The Indian Javan Rhino is extinct.

Sumatran Rhino - population less than 275 individuals, with poaching on the rise.

Black Rhino - population 3,725. West African Rhino species declared extinct in 2006. From 1980 until 2006, 14,000 were slaughtered by poachers.

Indian Rhino - population approximately 2,400, a conservation success story - but poaching is on the rise due to regional political instability

White Rhino: Northern White Rhino - it was reported on June 17, 2008 that the last 4 individuals were killed by poachers. Southern White Rhino - 14,000 surviving, due to conservation efforts

So if one Melbourne tram turned into 30 rhinos, it would take only 2 trams for Melbourne to have half of all the Javan Rhinos in the entire world.

It would take 10 trams to turn into 30 rhinos each for Melbourne to have as many Sumatran Rhinos as there are in the world.

It would take only about 120 trams for Melbourne to have as many Black Rhinos as there are in the world. Poachers have killed about 500 trams' worth of rhinos recently, leaving us with only 120.

There are about 466 trams worth of White Rhinos left in the world.

Yarra Trams have a rolling stock (according to Wikipedia) of 487. So if each of these had to change into 30 real rhinos, that would leave Melbourne with 14,610 rhinos.

The population of Rhinos would almost double! That is how few of these iconic and beautiful animals are left.

Also, which type of rhino the trams turned into would probably determine how the city itself reacted.

White rhinos are pretty relaxed ("no worries") and would generally just stroll around looking for some grass to eat like some large, grey, horned cows. They would do this in herds of about 15 - so a tram would yield 2 herds.

If the trams turned into Black Rhinos then Melbourne would have a bit of a problem. It would have a quarter of all Black Rhinos in the world, which would be an amazing thing for conserving this magnificent beast (if only!), but these are very angry and aggressive animals. They will charge for no reason and they can show what their horn can be used for (not decoration or medicine). They are also territorial and will fight each other. They can also run at speeds of about 50 km/h. On top of all of this, the city would be impossible to get out of because the roads would be blocked by huge beasts, there would be no trams, and walking and cycling would be dangerous.

But at least the people of Melbourne would be privileged to see this beautiful beast before it is relegated to zoos or killed off totally.

Monday, October 1, 2012

[IT is out to kill the business - Business is out to kill IT. We all win!]

My dad has essentially worked for 2 companies in his 50 or so years in business and, had he not emigrated, he probably would have stayed at one. I worked at 2 companies in just my first 5 years of full-time employment. And this is not strange. No one viewed me as unstable or a "job hunter". It is just the way it works.

"Knowledge workers" moving companies is not something new with the average length of service to one organisation being about 3 years. I've heard that this is tending toward 2 years or even 1 year. Where will this trend lead?

It was only when I started compiling my most recent CV that I realised just how busy I had been over the 4 years that I was employed at my previous employer. But I still managed to have spare time. It would have been amazing if I could have done what I was doing but for 2 companies at the same time, with both paying me for the output. Or even better: doing half of what I was doing but for 3 companies, with another person doing the other half for 4 companies. There are only so many ways an "ISO 27002 compatible Antivirus standard" can be written and only so many variables that can be manipulated. All companies need to patch and all need to do so in the same time period, so an "ISO 27002, Cobit and ITIL compatible Patching Process" would be almost identical for all of them.

Good thinking Allen, but there is a word for this: "Contractor". Exactly. And my employer had many contractors. And Australian businesses seem to have many more. But my argument is that the trend toward using more contractors can actually get to the point where there are no permanent employees in a company.

None.

I love the word "company". We are so used to using it that we never actually look at the word itself. "Corporation" is the same. A bunch of like-minded people coming together to keep each other "company" and do something positive. So... let's explore that. A loosely joined "web" of people coming together and using technology to collaborate on a set of ideals. This sounds like a web-board. I haven't seen one yet but I could certainly label the idea of a "cloud company" as "plausible". Crowd-sourcing an entire company including funders, workers, salespeople, delivery people, cleaners, security (the physical type... do we even need them if there are no premises?), management, etc. And since everyone is a contractor, SLAs are important and everyone is measured. You don't need layers of management; you just need clear outcomes. If the whole thing falls apart then everyone just leaves. If it works then the whole process is repeated. There is no workplace and no work hours. There is no receptionist, but there may be someone hired to communicate with the outside world, and they would need to be available during office hours. (Or this could be outsourced with a follow-the-sun communication plan.) Imagine a company that is working 24 hours and that can be contacted at any time.

The interesting thing here is "who owns the intellectual property?" The general processes and procedures and "intellectual property" such as "patch management", "how the phone should be answered", "how is the product packed" and "how fast should it be delivered" could belong to the individual contractors. The IP that I am interested in is the "core IP". The recipe for the product, the design of the product, the trademarks etc.

So, using technology and IT, it is possible to have a company with no "company". No buildings, no desks, no "office hours", no front desk, no lawn to mow, no delivery vehicles, no office. Just a technologically connected bunch of like-minded people with a single outcome. The technology is available; we just need to use it, and companies have been dipping their toes into this slowly. This is something that doesn't happen overnight. But it is happening. One benefit is that the "employees" can work on a number of projects all at once. Or not. It is their choice, but using Facebook to waste time waiting for the end of the day is no longer an issue.

So... IT is out to kill Business.

Then we have the other trends, which are mostly being driven from the non-IT part of the business. These are Cloud Computing, Consumerisation and BYOD. IT is brought in and asked to manage these, but these are all areas where the IT department has had full control and has had to relinquish some of it so that Business can work with the tools that they want, using services that they are familiar with, but without the red tape that IT can spin when delivering an "enterprise ready" solution. Taking this further, is it possible that Cloud services could make it simple for Business to bypass IT altogether and put their own solutions together without bothering IT? This could range from "I have a new employee in my team. Let me just hook him up with a mailbox and a fileshare" to "I need a way to track my sales staff" to "I need a way to report on the company financials", etc.

Where does that leave IT? Well, in quite an interesting position. There should probably be someone to manage the services even if they are "cloud" or "PaaS". This also leaves IT in the interesting place where they become advisers and architects to Business. "Did you know that you can use this service to monitor your staff? No? I'll just hook it up for you. They offer 30 days for free." etc.

So IT ends up being forced to talk "solutions" to business rather than "tech talk" and gradually manages the IT systems outwards until there is no IT department but internal IT consultants offering solutions to business people who own their own IT solutions.

These two scenarios are not mutually exclusive: they can both happen. And are happening. And, in fact, feed off each other. The less red tape that business needs to deal with, the quicker they can create flexibility and allow work to be done by contractors. Some companies will take longer to get to "a loosely bound group of like-minded people working toward a goal" without the traditional company holding them together, but it will come.

This may sound like fiction but ask anyone 50 years ago about whether they would trust someone who moves jobs every 2 years and they would find it difficult to do so. Now it is normal.

So, (you ask) where does this leave Information Security? And I was hoping that you wouldn't ask. It is not an easy thing to answer. This movement toward less central control will scatter the IT field (mainly) with concepts such as "Cloud", "PaaS", BYOD and "consumerisation". And IPv6 will just accelerate the change. In all of these cases we end up with less control and more freedom. But the controls don't go away. They just change. In fact, in some cases they get better. In some they get more complex, and in some the controls that were important but were overlooked become essential.

The information security team really needs to get more of an understanding of the company and who owns which piece of the process from raw material to money in the bank. Who owns what information, what can be ignored, and what is the essence of the organisation: the IP that is so specific that the company is defined by it.

Forget patches and antivirus patterns. Those can be outsourced. Information Security is about working with the company to know itself and how the essence of the company can be protected from those that will do it harm. And we need to do it quickly while the company is still an entity on its own.

Friday, September 14, 2012

HD Moore's Law is a joke. And not a very funny one either: it is a pun, it requires the listener to be very technical and to know the IT Security community just to get halfway to understanding it, and it usually requires the person using the term to explain why it is funny, which is a serious faux pas when it comes to jokes.

So, let me explain the joke. :)

Moore's Law is pretty well known. Most people know it as "computers will get faster each year", which is close enough to the actual definition to be useful for making decisions such as "I don't need a PC right now; should I wait a bit?" The answer is "yes: if you wait, then for the same amount of money you would spend now, in the future you can get a more powerful PC." Moore's Law.

(The actual law itself was coined by Gordon E. Moore from Intel who predicted that the number of transistors on a chip would double every 2 years.)

HD Moore created Metasploit, which is a framework for creating and running exploits. Being a framework, it is as clever as the person using it and can be used to break into anything given enough time, patience and understanding. However, it can also be used by someone with minimal knowledge and understanding to quickly break into a badly protected system.

This really divides attackers into two camps: dedicated and opportunistic. The controls to protect against the two are very different, but initially an organisation should be protected at the very least against opportunistic attackers. This is HD Moore's Law.

But the exploits available in Metasploit are always changing, and the range of systems that can be attacked is expanding. There are modules available to attack PHP. This means that PHP falls into the "opportunistic" area of HD Moore's Law.

My question, finally, is this:

What level of patch does each and every type of software have to be at to avoid falling foul of HD Moore's Law? Does anyone know?

Because, jokes aside (and it wasn't a particularly good one to start with), knowing that an organisation is not at risk from opportunistic attacks would be useful, more so than knowing ISO compliance or that staff are deleted off the system within .578 microseconds of leaving the organisation.

Then more dedicated attackers can be targeted using the controls aimed at them.
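One way to act on the question above is to keep a "minimum patch level" baseline per product and check an inventory against it. The script below is an added example, not code from the original post; every product name, version and threshold in it is a constructed placeholder, and a real baseline would be maintained from vendor advisories and the exploit framework's module list.

```python
"""
Added example: a minimal "HD Moore's Law" baseline check.
Software exposed to opportunistic attackers should be at least at the patch
level where no public, point-and-click exploit module applies. This compares
a constructed inventory against a constructed table of minimum safe versions
and reports what is still exposed. All names and versions are placeholders.
"""
import re

# Constructed threshold table: product -> lowest version assumed to have no
# public exploit module (placeholder values, not real advisory data).
MIN_SAFE_VERSION = {
    "example-webserver": "2.4.3",
    "example-php": "5.3.10",
    "example-cms": "3.1",
}

# Constructed inventory, in the shape an asset scan might produce.
INVENTORY = [
    {"host": "web01", "product": "example-webserver", "version": "2.4.1"},
    {"host": "web01", "product": "example-php", "version": "5.3.12"},
    {"host": "web02", "product": "example-cms", "version": "3.1"},
    {"host": "intranet", "product": "example-cms", "version": "2.9.4-rc1"},
    {"host": "legacy", "product": "unknown-appliance", "version": "1.0"},
]


def parse_version(v):
    """Turn '5.3.10' or '2.9.4-rc1' into a comparable tuple.
    Pre-release suffixes (-rc1, -beta2) sort below the bare release."""
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)(\d*))?$", v.strip())
    if not m:
        raise ValueError("unparseable version: %r" % v)
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))  # pad so 3.1 == 3.1.0.0
    # (1,) marks a final release; (0, n) marks the n-th pre-release.
    pre = (1,) if m.group(2) is None else (0, int(m.group(3) or 0))
    return nums + pre


def check_inventory(inventory, thresholds):
    """Return the entries that fail the baseline: those below their minimum
    safe version (exposed to opportunistic attack) and those with no threshold
    at all (a gap in the baseline, which should be treated as a finding)."""
    findings = []
    for item in inventory:
        product = item["product"]
        if product not in thresholds:
            findings.append({**item, "status": "no-baseline"})
            continue
        if parse_version(item["version"]) < parse_version(thresholds[product]):
            findings.append({**item, "status": "below-baseline",
                             "required": thresholds[product]})
    return findings


if __name__ == "__main__":
    for f in check_inventory(INVENTORY, MIN_SAFE_VERSION):
        print("%-9s %-18s %-10s %s" % (f["host"], f["product"],
                                       f["version"], f["status"]))
```

Anything reported as "no-baseline" is as much a finding as "below-baseline": the organisation cannot claim to be outside the opportunistic zone for software it has no threshold for.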

Tuesday, September 4, 2012

Habit 4 is the first habit to deal with “others”. The first 3 habits are internal; 4 is external.

Think “Win-win”. This is almost impossible for a security professional. Almost.

The issue is that every change to a system (from a lonely PC to a worldwide network) carries some risk to the system itself, mostly in terms of availability. In some cases the risk is 100%, for example when a system needs to be rebooted after a patch is applied, or even when a service needs to be restarted. It may be a quick reboot and it may be done during a patch window, but either way someone needs to sit, sweating and biting their nails, while the box goes through the motions of starting up. In some cases the order in which servers are restarted is important.

I have been attending many job interviews recently and the one question that comes up very often (and for good reason) is: how do I (Allen specifically) manage teams where there is no will to perform security tasks? It is not easy; security generally does not get given the correct amount of authority to demand that the security tasks get carried out. Nor does the security team generally perform the tasks that are required to keep the organisation secure. Compliance does help (“The auditors are not going to be happy.”) but this sounds like a whiny way to force administrators to perform the security tasks, and since audits are usually annual, the servers tend to be fully compliant once a year at audit time.

Generally, you need buy-in. The easiest way to do this is to live the values yourself. Is it really necessary to patch? Really? All the servers? What if we leave out a couple, maybe the production machines which are all running an older version of Windows? If you don’t have good answers to all of these questions, and by that I mean *good* answers, then how do you expect to be taken seriously? The thing I really like about the habits is that they all make sense, but more importantly they make sense together. So understanding why you do something is a totally different habit (Habit one). Mastering that habit makes you surer of yourself when faced with these questions. It makes it easier to bring the people that count (in this case, the Administrators) around to be on your side.

Once you have buy-in from the Administrators (and their managers) you should approach them to come up with a viable (and practical) plan for performing their tasks. The amazing thing is how much better this works when it has been created by both the security team and the services team (or whoever is going to perform the security task). When the team knows upfront what is expected and when, and can put the methods in place without surprises, and has the backing of security, then the processes just flow.

Another place where this habit is important is combatting the idea of the “Dr No. Security Guy”. The idea of this is that Security should never be the guy to say “no” to a project or idea without fully thinking it through and trying to arrive at a win-win outcome. It should be a project that is useful to the business, not too expensive to implement and as secure as necessary. A good way of approaching a project that you believe would be too insecure is to start with “I agree that this may be a good idea for the business but I believe that the controls we would need to implement to secure this solution would make it too expensive for any benefits.” You then show what these controls should be and leave it up to the project sponsor to make a decision. Sometimes a project decision made with no thought, like “we want it to be a PaaS solution”, can be reversed when the security controls are included in the final design, without scrapping the entire project. Example:

“We want the new solution to be PaaS”

“Why?”

“Because that is our project parameter”

“Um… ok… there are a few things we will need to implement though.”

“Like?”

“Well, for network security we will need to put in a Firewall and IPS and something to monitor them and collect the logs. We will need to do application security since this faces the entire world. We will need to set up someone to monitor all of the equipment. We will need to arrange with the service provider some time to do patching and general maintenance. We will need to do a physical security audit. We will need to have a monthly meeting with the service provider to discuss security controls. The Audit team will need to add this to their annual audit. Plus we will need to investigate the increase in bandwidth costs for us to be able to access the solution. After all that we may need to look at DR and BCP depending on the criticality of this solution.”

-Pause-

“What is the alternative?”

“We host it inside our network where all the infrastructure is already in place and monitored, and you have to pay very little for additional security infrastructure. If it helps, we can host it on a virtual machine and you can call it ‘private cloud’.”

Stephen R. Covey died on July 16, 2012. This is sad news indeed. I really liked his 7 habits work. It was (like ISO27002 and the like) a good framework but not a good standard. And therein lies its power. It is like powdered milk: without adding something you have nothing. I took the 7 habits and started (5 years ago!) to make a series called the 7 habits of highly effective security policies.

I got stuck at habit 3. I honestly have tried over the last 5 years to write a blog post that is acceptable to my standards on habit 3 but now that I reflect on it, it’s a good thing that this one is the most difficult. It is also the one that everyone should define for themselves. I believe this is the core habit and while the other habits are easy to adopt with practice, this one needs to be revisited often. It can’t become a habit. So, I am leaving this one out for the readers to do for themselves.

The only advice I can offer here is that as a security professional you will always have something urgent to deal with. You will always be reacting to the latest exploit in the news, the latest report from the auditors, the latest breach. There are new virus definitions every day and new patches every month. You are always reacting. You have to set some time aside for proactive security. For acting. How you do that is up to you but it has to happen.

Tuesday, April 24, 2012

[Almost every country in the world protects its citizens' personal information. Almost.]

This is an example of a Membership Application form that I needed to fill in to be able to rent a video. You'll notice that besides all the usual stuff, they have asked for my date of birth, ID number and employer. They need to know my next of kin, which is interesting... in case I die while hiring a video, at least they can get their video back. I'm not sure how it helps them to have my car registration number. I can just picture driving through a roadblock: "Mr Baranov... do you realise that your copy of Twilight is overdue by two days. For that I will give you a fine. Further, for even renting that video... another fine."

The point is that there is a lot on this page that is unnecessary. Under the proposed Privacy Act, a company would have to be able to answer why each and every field is required for each and every form. Further, they would need to make sure that they protect your information to a reasonable amount of care. Further they would need to notify you if they suspect that your information is leaked. They would also have to contact you if they need more information or need to use the information for other purposes. And they would not be able to share this information with other companies.

Right now there is no legislation making it illegal for companies to share information (excluding credit information). This video shop could (I'm not saying they would) easily share all this gathered information with anyone they wanted and could even sell this information. Most people ignore spam sent to "Dear Sir" or such but spam made using this information could be sent to you and addressed "Dear Mr .....".

Also, since the company doesn't have to do anything to protect the information and doesn't need to notify anyone of a breach, this increases the risk of your information leaking. So let's look at two cases...

The information leaks and someone wants to infect your PC so they can use it to send spam or to steal your money using something like Zeus... they send you an email addressed to you specifically, looking as though it is from a garage. Since they know where you live, they can customise the email to be a garage in your area. They could also make it specify your registration number: "Mr Baranov, I am from <Big Name Garage> in Blahblahville. Your car registration number EGG156GP was recently at our garage..... please look at this bill in pdf format". At this point you are either surprised or cross ("I never took my car to that garage!"). Either way, you open the attached pdf to get more information and your PC is infected. You know not to open attachments from places you don't know, but these people seem to know so much about you...

Alternatively, the thieves use the ID number to create a fake ID book. They use the employer information to create fake pay cheques and take out credit in your name. They have enough information above including your telephone numbers, address and even friends of yours. Even if the company granting the loan phones the company you work for, they would confirm employment ... "Yes, Allen works here"

I'm not picking on this particular video rental company (hence the company name is covered), because all companies from big to small collect more information than they need and don't necessarily protect it to the best of their abilities. Without laws in place they won't, because protecting customer information is difficult and costly and breach notification is embarrassing for a company.

Almost all countries in the world have laws protecting their citizens and their information. South Africa has one of the best based on bits taken from the best Privacy legislation from around the world. It is currently in Bill form so it is not yet approved and is not binding as a law. Anyone who is concerned about their personal information, is sick of spam and nervous about hackers taking over their bank accounts should want this law to be passed as soon as possible.

Friday, March 9, 2012

This is the third time I am writing this blog post because I just couldn't seem to get the thought straight and the tone and level right. My first two attempts took a whole bunch of text to say this:

Basically Firewalls came before NAT. NAT is a magic network concept that creates a type of one-way-mirror allowing devices on the inside of the firewall to establish a two way communication session without the other side knowing exactly what device is making the connection and devices outside the firewall can't establish a connection to devices inside the firewall.

(The above paragraph is not totally correct but it is correct enough, and it stops me having to type a whole networking 101 essay, which is beside the point of this post. If you know exactly what NAT is about then smile smugly; if you don't, accept that the above is "correct enough". Either way, read on.)

NAT is so effective that almost half (wild estimate) of hackers' tools and time and thoughts revolve around getting past NAT, the only effective way being to get the inside device to "dial out". (Think of the protection that NAT affords us as a door that opens only from the inside; attackers concentrate on getting someone inside the door to open it.)

So, while Firewall rules and policies are weird and wonderful little twisty adventures, NAT pretty much makes them redundant.

And Firewall engineers know this (although may not admit as such). So, then, what is the point of this article?

IPv6 is coming and with it the loss of NAT. We won't need it any more. And we won't want it.

This is my opinion and the network security and general network engineers disagree with me. They argue that NAT is so useful that we will have it around for many years even once IPv6 becomes the norm. Either we will stick with IPv4 private networks inside and IPv6 networks outside or we will have IPv6 networks inside that will remain private.

I have three arguments against this and time will tell whether I am right or wrong.

1. The number of devices will explode. We are well on the way to this already but I think it will accelerate. We have the hardware, we have the software. We just need it all to become easy. So, look around you and imagine what would not benefit from being connected (ignoring security for the moment). Your car keys could beep when you SMS them, what a lifesaver. Your desk could sense when you are behind it. Your chair could auto-adjust depending on who was sitting on it. Your desk calendar could be digital. The lighting above you could notify you when the light bulbs are due to run out. They could turn on and off depending on whether someone was in the room. Your desk phone would have an IP address and not a telephone number. That is a lot of IP addresses; now multiply it by the number of people in a site, then by the number of sites in the company, etc. It is starting to add up to a lot of IPs, especially since companies are already struggling to allocate IP addresses just for the devices we have now. A company with 2000 employees where each one has 30 devices needing IP addresses would be testing the limits of IPv4.

2. "We are an X shop" is a joke. Most companies stick by the "we are a Microsoft shop" and so only allow Microsoft products. That is, until the CEO wants an iPad. A month after the iPad was released Gartner did a quick poll and three quarters of the CEOs asked had company-issued iPads. How did the companies manage to roll out a proper policy in time, how did they do governance? How did iPads become a strategic tool? They didn't. The CEO asked and the CEO got. Then upper management, upper-middle management, etc. All of a sudden the iPad was a business tool. IPv6 devices that are connected will be so unbelievably cool in ways we can't even imagine now. They will be the cutting edge and they will make your CEO and all your staff so cool. And because they are connected, they will make them cool to their peers. And the ones that are portable, like the keys you can SMS, will work without a problem at the CEO's home but not on your antiquated IPv4 network. Guess what will happen then.

3. Management of IPs on an IP by IP basis will become difficult to impossible. So, where does this leave the network guys? How do you manage 30 devices per person? Should you even? Should these devices talk out of the network? What is allowed on the network? What is not? What should talk to what?

So, what does this mean for the Firewall? Well, I don't know. Already with NAT there are Firewalls that have way too many rules. They have rules that are never used, and those that are too big for their purpose. There are rules that are just plain dumb and ones that are highly critical to the business but no one knows how they were made or why just that closing them would stop business. What happens when everyone in a company has over 30 personal IP devices, some that are on a public network and some that are not, some that talk out, some that are talked to, some that talk amongst each other, some that dial out, some that are expecting connections from others, some that will be for safety reasons (think firefighting equipment that checks pressure on a minute-by-minute basis and phones home with the results), some that will be in use by the coolest people in the organisation (the marketing guys with thick black rimmed glasses), some that will be used by your CEO (and when they stop working, you get notified via the CIO who is pissed off that his boss is unhappy) and most that have some blatantly stupid vulnerability that script kiddies are constantly polling for. Oh, and lastly, this will all happen on port 80 by the way.

Mr Firewall, it is time for you to step up. IPv6 will set some challenges for you.

[PS. While writing this article I was wondering if it would not be a plan to actually scrap internal networks altogether and go for a "GPRS-type" network where everything is all in the open anyhow. How one would protect against vulnerabilities on the devices, I'm not quite sure. Also, you'd need to block your servers off from the open network... or they may be "in the cloud" already. Maybe every one of these devices would need its own little firewall. Discuss.]
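The "door that only opens from the inside" behaviour the post attributes to NAT is really the connection-state table that ships alongside the address translation. On a globally addressed IPv6 network nothing translates addresses, so that one-way property has to come from an explicit stateful policy, whether on a border firewall or on the per-device "little firewall" the PS wonders about. The following toy filter is an added example (not from the original post) that models exactly that policy on constructed IPv6 addresses and ports.

```python
"""
Added example: a toy stateful filter for an IPv6 network with no NAT.
Policy: anything from inside to outside is allowed and recorded as a flow;
inbound traffic is allowed only if it is the reverse of a recorded flow or
is addressed to an explicitly published service; everything else is dropped.
All addresses (2001:db8::/32 is the documentation prefix) are constructed.
"""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport proto")


class StatefulFilter:
    """Default-deny inbound filter with connection tracking and no NAT."""

    def __init__(self, inside_prefix, allowed_inbound=()):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.allowed_inbound = set(allowed_inbound)  # (dst, dport) pairs
        self.flows = set()                           # 5-tuples seen outbound
        self.log = []                                # (verdict, packet)

    def is_inside(self, addr):
        return ipaddress.ip_address(addr) in self.inside

    @staticmethod
    def _reverse(p):
        # The 5-tuple a reply to p would carry.
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def process(self, p):
        """Return 'ACCEPT' or 'DROP' for one packet and update flow state."""
        if self.is_inside(p.src) and not self.is_inside(p.dst):
            # Outbound: remember the flow so its replies can come back in.
            self.flows.add(tuple(p))
            verdict = "ACCEPT"
        elif self._reverse(p) in self.flows:
            # Inbound reply to a flow an inside host opened.
            verdict = "ACCEPT"
        elif (p.dst, p.dport) in self.allowed_inbound:
            # Explicitly published service: the only other way in.
            verdict = "ACCEPT"
        else:
            # Unsolicited inbound, including port probes of inside hosts.
            verdict = "DROP"
        self.log.append((verdict, p))
        return verdict


def demo():
    """Run a constructed packet sequence through the filter; returns it."""
    fw = StatefulFilter("2001:db8:1::/48",
                        allowed_inbound=[("2001:db8:1::80", 443)])
    inside, web, outside = "2001:db8:1::10", "2001:db8:1::80", "2001:db8:ffff::1"
    # 1. inside host opens a connection out: allowed and tracked
    fw.process(Packet(inside, 50000, outside, 443, "tcp"))
    # 2. the reply comes back on the tracked flow: allowed
    fw.process(Packet(outside, 443, inside, 50000, "tcp"))
    # 3. unsolicited inbound to the same inside host: dropped
    fw.process(Packet(outside, 40000, inside, 22, "tcp"))
    # 4. outsider reaches the published web service: allowed
    fw.process(Packet(outside, 40001, web, 443, "tcp"))
    # 5. the web server's reply is outbound: allowed
    fw.process(Packet(web, 443, outside, 40001, "tcp"))
    # 6. same outsider probes an unpublished port on the web host: dropped
    fw.process(Packet(outside, 40002, web, 22, "tcp"))
    return fw


if __name__ == "__main__":
    for verdict, p in demo().log:
        print("%-6s %s:%d -> %s:%d" % (verdict, p.src, p.sport, p.dst, p.dport))
```

Packets 3 and 6 are what NAT used to absorb "for free"; here they are dropped only because the default-deny inbound rule exists, which is the rule that has to survive the move to IPv6.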

I am currently searching for a job so if any of my dedicated readers know of anything...please let me know.

I have about 10 years of experience in Information Security and am currently an Information Security Analyst for The South African Breweries Ltd. I have built up a wealth of technical knowledge but my most recent experience is in management which means getting vendors to put security controls in place, risk assessments, awareness, security architecture, policies and related documentation, etc.

I am well known in the security community in South Africa for my passion about Information Security and willingness to talk at length about the topic.

I am looking for something along the lines of "Security Analyst", "Security Manager", "Security Architect" as I feel my skills would be quite appropriate for these or similar job titles.

My preference would be to stay in Johannesburg or Pretoria but I would be happy to consider anything in South Africa or even overseas.

I don't want to bore you with all my details but anyone who is interested or may know of someone interested, please can you email me at: baranov <at> elucidate <dot> co <dot> za and I will forward you my full CV and supporting documentation.

PS. Any job that would require "out of the box" thinking would be very highly considered. My favourite project was an awareness project that I did covering the topic "phishing" which I am particularly proud of and would elaborate on but I have to save something for the interview...